Home page logo

bugtraq logo Bugtraq mailing list archives

Re: (How) Does AntiSniff do what is claimed?
From: jmarler () ISTRENGTH NET (Jon Marler)
Date: Sun, 25 Jul 1999 15:54:22 -0500

On Sun, Jul 25, 1999 at 12:37:11AM +0100, Nick Lamb wrote:
How does AntiSniff detect sniffing?

will detect sniffing -- a green light from their product does NOT mean
you're not being sniffed.

If AntiSniff becomes popular, I'd estimate only a few months grace
before Black Hats have made a reduced-functionality sniffer which slips
under AntiSniff's radar. I don't have any use for such a tool, but if
I did I doubt I'd need more than a week or two to get it right.

We've had the same discussion in the nmap-hackers list.

All you would need to do to prevent detection is cut the send pair on your
Ethernet connection.  That would make it completely passive.  You could
even do it as simple as a cable with only 1 pair.

There is already a popular UN*X package that does promisc. detection.  It
is called hunt. (http://www.cri.cz/kra/index.html).  It also does MAC
spoofing, ARP collection, connection hijacking, etc ...  Hunt will allow
you to scan an entire range of IP addresses for "Sniffing".  Here is a
tcpdump -ne during a small promisc. scan :

15:48:09.785988 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: > icmp: echo request (DF)
15:48:09.786088 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: > icmp: echo request (DF)
15:48:09.786154 0:10:4b:7a:3d:32 ea:1a:de:ad:be:4 0800 106: > icmp: echo request (DF)

There is a package for hunt that is part of the 'potato' distribution of
Debian GNU/Linux.  I'm not aware of any RPM's.

jmarler () istrength net

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]